I have a 4 port bridge:

```
root@Linux-Switch:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000024cd2cb0       no              eth0
                                                        eth1
                                                        eth2
                                                        eth3
```

My goal is to limit the upload speed of the eth2 interface. (eth0 is the uplink interface to the upstream switch). I've been trying to do this via tc and iptables.

```
# tried in both the filter table and mangle table
iptables -A FORWARD -t mangle -m physdev --physdev-in eth2 -j MARK --set-mark 5

tc qdisc add dev eth0 root handle 1:0 htb default 2
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1mbit ceil 1mbit
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 5mbit ceil 5mbit
tc filter add dev eth0 parent 1:0 handle 5 fw flowid 1:1
```

I can see that the iptables rule is matching:

```
root@Linux-Switch:~# iptables -vL -t mangle
...

Chain FORWARD (policy ACCEPT 107K packets, 96M bytes)
 pkts bytes target     prot opt in     out     source   destination
38269   11M MARK       all  --  any    any     anywhere anywhere     PHYSDEV match --physdev-in eth2 MARK set 0x5

...
root@Linux-Switch:~#
```

But the tc config is not reading the fw mark; all traffic in port eth2 is being limited to the 5Mb default, not the 1Mb I'm attempting to configure.

```
root@Linux-Switch:~# tc -s class show dev eth0
class htb 1:1 root prio 0 rate 1000Kbit ceil 1000Kbit burst 100Kb cburst 100Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 200000 ctokens: 200000

class htb 1:2 root prio 0 rate 5000Kbit ceil 5000Kbit burst 100Kb cburst 100Kb
 Sent 11465766 bytes 39161 pkt (dropped 0, overlimits 0 requeues 0)
 rate 6744bit 3pps backlog 0b 0p requeues 0
 lended: 39161 borrowed: 0 giants: 0
 tokens: 2454400 ctokens: 2454400

root@Linux-Switch:~#
```

What am I doing wrong?

tMC
  • Does it match if you add it on `br0` instead? Also specify the filter explicitly as 0x5 instead of just 5 at the command line (for both tc and iptables). – frostschutz Apr 04 '13 at 13:07
  • I have a similar setup with eth0 and wlan0 under bridge br0. I added the same qdisc and class and also applied the filter; however, my iptables rule itself does not work. The FORWARD chain does not receive packets. Sending iperf traffic from wlan0 to eth0. – Haswell Jul 09 '23 at 10:20

1 Answer

I figured it out: I had to specify a 'protocol' in the filter. I could find much documentation on this; all the examples I could find specified the protocol as 'ip', but since this is a switch, I thought I'd try 'all' and it worked!

```
tc qdisc add dev eth0 root handle 1:0 htb default 2
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1mbit ceil 1mbit
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 5mbit ceil 5mbit
# 'protocol all' instead of 'ip'; 'protocol' goes before 'handle 5 fw'
tc filter add dev eth0 parent 1:0 protocol all handle 5 fw flowid 1:1
```
tMC
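The symptom in the question (the MARK rule counts packets while class 1:1 stays at zero) can be checked mechanically. The script below is an added example, not part of the original question or answer; the function names `class_pkts` and `check_fw_steering` are hypothetical, and the sample input is the class statistics quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the "Sent ... pkt" counter for one HTB class id (e.g. 1:1).
# stdin: output of `tc -s class show dev <if>`. Prints nothing if not found.
class_pkts() {
    awk -v want="$1" '
        $1 == "class" && $2 == "htb" { cur = $3 }
        $1 == "Sent" && cur == want  { print $4; exit }
    '
}

# $1 = packet counter of the iptables MARK rule, $2 = class id, stdin = tc output.
# Returns 0 if the class carries traffic, 1 if packets are marked but the
# class is idle (the fw filter is not matching), 2 if the class is missing.
check_fw_steering() {
    marked=$1
    pkts=$(class_pkts "$2")
    if [ -z "$pkts" ]; then
        echo "class $2 not found"; return 2
    fi
    if [ "$marked" -gt 0 ] && [ "$pkts" -eq 0 ]; then
        echo "MARK rule hit $marked packets, class $2 sent 0: fw filter not matching"
        return 1
    fi
    echo "class $2 sent $pkts packets"
}

# Sample input: class statistics as quoted in the question (token lines omitted).
SAMPLE_TC='class htb 1:1 root prio 0 rate 1000Kbit ceil 1000Kbit burst 100Kb cburst 100Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:2 root prio 0 rate 5000Kbit ceil 5000Kbit burst 100Kb cburst 100Kb
 Sent 11465766 bytes 39161 pkt (dropped 0, overlimits 0 requeues 0)
 rate 6744bit 3pps backlog 0b 0p requeues 0'

# 38269 is the MARK rule's pkts counter from the question's iptables output.
printf '%s\n' "$SAMPLE_TC" | check_fw_steering 38269 1:1 || true
printf '%s\n' "$SAMPLE_TC" | check_fw_steering 38269 1:2
```

On a live bridge, pipe `tc -s class show dev eth0` into `check_fw_steering` and take the exact rule counter from `iptables -t mangle -vxL FORWARD`, since without `-x` large counters are abbreviated (for example `11M`).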